Updating NEWS.md

NEWS.md

 # Change Log
 
+## [6.2.36](https://github.com/sympa-community/sympa/tree/6.2.36)
+
+[Full Changelog](https://github.com/sympa-community/sympa/compare/6.2.35b.1...6.2.36)
+
+**Changes:**
+
+- Scenarios `subscribe.*` and `unsubscribe.*`: Now authentication by target user is required when anonymous/other user requested these actions [\#390](https://github.com/sympa-community/sympa/pull/390). Previously, if "open" scenario was used, an anonymous user on web interface could add subscriber without confirmation.
+- WWSympa: Home-made color picker in CSS configuration page was replaced with external plugin [jQuery MiniColors](https://labs.abeautifulsite.net/jquery-minicolors/) [\#369](https://github.com/sympa-community/sympa/pull/369).
+- WWSympa: `referer` and `failure_refarer` parameters fed to login form (see [documentation](https://sympa-community.github.io/manual/customize/authentication-web.html#sharing-wwsympas-authentication-with-other-applications) for details) are limited within scope of `cookie_domain` to prevent XSS / open redirect [\#268](https://github.com/sympa-community/sympa/issues/268).
+- Default value of `--with-lockdir` option for `configure` script became `/var/lock/subsys` not according to `localstatedir` [\#403](https://github.com/sympa-community/sympa/pull/403).
+- Some Systemd unit files generated by source package were renamed: `wwsympa.service` and `sympasoap.service` [\#406](https://github.com/sympa-community/sympa/pull/406).
+
+**Implemented enhancements:**
+
+- Update startup scripts [\#406](https://github.com/sympa-community/sympa/pull/406) ([ikedas](https://github.com/ikedas))
+- Domain without available wwsympa\_url parameter should deny web access [\#405](https://github.com/sympa-community/sympa/pull/405) ([ikedas](https://github.com/ikedas))
+- Let the default of `--with-lockdir` be `/var/lock/subsys` always [\#403](https://github.com/sympa-community/sympa/pull/403) ([ikedas](https://github.com/ikedas))
+
+**Fixed bugs:**
+
+- DKIM per-list options not saved [\#412](https://github.com/sympa-community/sympa/issues/412)
+- Merge\_feature active and attached file with special characters [\#409](https://github.com/sympa-community/sympa/issues/409)
+- Error in the name of a function in wwsympa.fcgi [\#404](https://github.com/sympa-community/sympa/issues/404)
+- Internal Server Error: Can't locate object method "\_marshal\_format" in Spool.pm \(71\) [\#401](https://github.com/sympa-community/sympa/issues/401)
+- Rename a list takes incredible time [\#368](https://github.com/sympa-community/sympa/issues/368)
+- Avoid "subscribe spam" [\#302](https://github.com/sympa-community/sympa/issues/302)
+- XSS and open redirect on login form, CVE-2018-1000671 [\#268](https://github.com/sympa-community/sympa/issues/268)
+- Update startup scripts [\#406](https://github.com/sympa-community/sympa/pull/406) ([ikedas](https://github.com/ikedas))
+
+**Closed issues:**
+
+- Issues with sending mails using special French characters [\#178](https://github.com/sympa-community/sympa/issues/178)
+
 ## [6.2.35b.1](https://github.com/sympa-community/sympa/tree/6.2.35b.1) (2018-08-26)
 
 [Full Changelog](https://github.com/sympa-community/sympa/compare/6.2.34...6.2.35b.1)